U.S. government is ‘biggest buyer’ of zero-day vulnerabilities, report claims

When it comes to exploiting zero-days for cyberweapons and cyber-spying, China’s not the only “devil”…we are too, according to a Reuters report that claimed the U.S. government is the “biggest buyer in a burgeoning gray market where hackers and security firms sell tools for breaking into computers.”

For the first time, the Pentagon’s annual report to Congress [pdf] accused the Chinese government and military of targeting U.S. government and defense networks as well as using cyber espionage to get its hands on cutting-edge military technology. While this is not new news, it’s new for the Pentagon’s report. Also not new was China’s reaction, calling the accusations “groundless” and “hype.”

Some security experts were openly skeptical of the Pentagon’s report, which did not mention what cyberspying the U.S. does in return. The U.S. spends billions every year on “cyberdefense and constructing increasingly sophisticated cyberweapons.” NSA chief General Keith Alexander told Congress that the U.S. is “creating more than a dozen offensive cyberunits, designed to mount attacks, when necessary, at foreign computer networks.” Reuters added that the NSA and Department of Defense are “spending so heavily for information on holes in commercial computer systems, and on exploits taking advantage of them, that they are turning the world of security research on its head.”

An unnamed, former defense contractor for the U.S. said, “My job was to have 25 zero-days on a USB stick, ready to go.” Although intelligence agencies code some of their own zero-day exploits, Reuters said, “Private companies have also sprung up that hire programmers to do the grunt work of identifying vulnerabilities and then writing exploit code. The starting rate for a zero-day is around $50,000, some buyers said, with the price depending on such factors as how widely installed the targeted software is and how long the zero-day is expected to remain exclusive.”

Vendors at secret snoop conferences pimp a variety of products to assist law enforcement and intelligence agencies in spying. Vupen, which is well-known for selling zero-day exploits exclusively to governments, recently sent 12 researchers to an offensive hacking techniques conference where attendees heard talks such as “Advanced Heap Manipulation in Windows 8.” While the U.S. government sent more than a dozen people to the conference, it’s unknown whether the acquired knowledge or products are intended for spying on other governments or deploying malware for eavesdropping and remote searches, aka virtual force and Trojan horse warrants.

ReVuln is newer to the exploits-for-sale game than Vupen, but “specializes in crafting exploits for industrial control systems that govern everything from factory floors to power generators.” When “asked if they would be troubled if some of their programs were used in attacks that caused death or destruction, they said: ‘We don’t sell weapons, we sell information. This question would be worth asking to vendors leaving security holes in their products’.”

The Reuters’ article warned there are “unintended consequences” when the U.S. chooses to exploit a vulnerability instead of warning the public about the hole. If and when other countries discover the vulnerability, it could be reverse-engineered and used against U.S. corporations. One such example was the Duqu malware that was “designed to steal industrial-facility designs from Iran.” Duqu was copied by cybercriminals, who then “rolled it into ‘exploit kits,’ including one called Blackhole and another called Cool.” Despite Microsoft issuing a patch, F-Secure reported that “hackers used it last year to attack 16 out of every 1,000 U.S. computers and an even greater proportion in some other countries.”

Security researchers are increasingly reluctant to publicly report zero-days for no compensation. The vulnerability might be worth a small fortune after all; and even though Google and Facebook pay “bounties,” the companies say “they are hard-pressed to compete financially with defense-industry spending.”

Reuters reviewed a product catalogue from one large contractor, which was made available on condition the vendor not be named. Scores of programs were listed. Among them was a means to turn any iPhone into a room-wide eavesdropping device. Another was a system for installing spyware on a printer or other device and moving that malware to a nearby computer via radio waves, even when the machines aren’t connected to anything.

There were tools for getting access to computers or phones, tools for grabbing different categories of data, and tools for smuggling the information out again. There were versions of each for Windows, Apple and Linux machines. Most of the programs cost more than $100,000, and a solid operation would need several components that work together. The vast majority of the programs rely on zero-day exploits.

ChinaDaily reported on the intensifying war of words between the U.S. and China regarding cyberattacks. “Rick Falkvinge, a Swedish tech entrepreneur and politician, said Washington ‘needs to clean up its own act before trying to assert the moral high ground over the Chinese for their alleged hack attacks on the U.S.'” Falkvinge added that “the U.S.-led Echelon program, a system to intercept communications, is used by the U.S. not only for military purposes but also to give U.S. industries ‘the upper hand in purely industrial applications, in competition with international counterparts.'”

Other critics say the U.S. has no room to point fingers about cyberweapons after Stuxnet. America is “home to largest number of botnets” according to McAfee. PressTV reported, “Data from Germany’s Deutsche Telekom shows that far more attacks against its networks come from the United States. U.S.-based HostExploit, which detects and exposes internet malpractice, also says the U.S. has the world’s most malicious servers.”

The Reuters special report “U.S. cyberwar strategy stokes fear of blowback” is interesting and well worth your time to read it.

Like this? Here’s more posts:

• Journalist threatened, warned not to write about face-recognition at Statue of Liberty
• Microsoft confirms zero-day vulnerability exploiting IE8
• Skype accounts easily hijacked via Skype Support, warns hacker
• Microsoft: What are people really asking for when they ask for a Start button?
• Post Boston: Privacy advocates warn about coming tsunami of surveillance cameras
• Officials to investigate DHS ammunition purchases
• Verizon report: China behind 96% of all cyber-espionage data breaches
• Former FBI agent: All phone calls recorded, no digital communication secure
• Microsoft: Facebook Home is a copycat, Windows Phone is the ‘real thing’
• AV-Test issues first Windows 8 antivirus solution ratings
• Google’s patent for email snooping? Microsoft offers your boss email spying powers now
• Hacktivists take on ‘Olympus Has Fallen’ scare tactics style

Follow me on Twitter @PrivacyFanatic